Configure Your Severity Metric

Required User Role: Administrator

By default, Tenable.io uses CVSSv2 scores to calculate severity for individual vulnerability instances. If you want Tenable.io to calculate the severity of vulnerabilities using CVSSv3 scores (when available), you can configure your severity metric setting.

Tip: A vulnerability instance is a single instance of a vulnerability appearing on an asset, identified uniquely by plugin ID, port, and protocol.

For information about severity and the ranges for CVSSv2 and CVSSv3, see CVSS vs. VPR.

Note: This setting does not affect the following:
  • Tenable.io Web Application Scanning vulnerabilities.
  • Tenable.io Container Security vulnerabilities.
  • The calculations displayed in the SLA Progress: Vulnerability Age widget. To modify your SLA severity, see Configure Your SLA Settings.

To configure your severity setting in the new interface:

  1. In the upper-left corner, click the Menu button.

    The left navigation plane appears.

  2. In the left navigation plane, click Settings.

    The Settings page appears.

  3. Click the General tile.

    The General page appears. By default, the Severity tab is active.

  4. Select the metric that you want Tenable.io to use for severity calculations.

    • CVSSv2 — Use CVSSv2 scores for all severity calculations.

    • CVSSv3 — Use CVSSv3 scores, when available, for all severity calculations. Use CVSSv2 only if a CVSSv3 score is not available.

  5. Click Save.
  6. The system saves your change and begins calculating severity based on your selection.

    All vulnerabilities seen before the change retain their severity. After the change, all vulnerabilities seen during scans receive severities based on your new selection. Because of this, you could see two sightings of the same vulnerability have two different CVSS scores and severities.

    Tip: A vulnerability instance is a single instance of a vulnerability appearing on an asset, identified uniquely by plugin ID, port, and protocol.